# Linux Host

### RPC Client

```bash
# Authenticate using username and password to domain Marvel
rpcclient -U "Marvel\hsaad%P@ssw0rd" 10.0.2.100

# Authenticate using Null Session
rpcclient -U "" -N 10.0.2.6

# Enumerate Domain Info
> enumdomains
> querydominfo
> srvinfo

# Enumerate Domain Users (query a single user by name or by RID)
> enumdomusers
> queryuser hsaad
> queryuser 0x501

# Enumerate Password Policy
> getdompwinfo

# Enumerate Domain Groups
> enumdomgroups
> enumalsgroups domain
> querygroup 0x5a0a

# Enumerate Local Groups
> enumalsgroups builtin

# Enumerate Group Members (use "builtin" or "domain" depending on where the alias lives)
> querygroupmem 0x5a0
> queryaliasmem builtin 0x5a0
> queryaliasmem domain 0x5a0

# Enumerate a User's Groups
> queryusergroups 0x501

# Enumerate the members of the Administrators and Remote Desktop Users local groups
> queryaliasmem builtin 0x220   # Administrators
> queryaliasmem builtin 0x22b   # Remote Desktop Users
```

### SMBclient

```bash
# List the shares a host offers
smbclient -U "Marvel\hsaad%P@ssw0rd" -L 10.0.2.6

# Connect to a share (backslashes are doubled for the shell; //172.31.2.112/SYSVOL is equivalent)
smbclient -U "Marvel\hsaad%P@ssw0rd" \\\\172.31.2.112\\SYSVOL

# Script to Automate: collect the Disk shares of every host in ips.txt, then list each share's files
for ip in $(cat ips.txt); do
  (smbclient -U "Marvel\hsaad%P@ssw0rd" -L "$ip" 2>/dev/null \
     | grep Disk | cut -d " " -f 1 | sed 's/\t//' \
     | while read -r share; do echo "//$ip/$share" | tee -a shares.txt; done) &
  sleep 1
done
wait    # let the background listings finish before shares.txt is read
while IFS= read -r share; do
  echo "$share" >> shares-files.txt
  # stdin from /dev/null so smbclient cannot consume the share list
  smbclient -U "Marvel\hsaad%P@ssw0rd" "$share" -c "dir" </dev/null | tee -a shares-files.txt
done < shares.txt
```
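The shell loop above pulls share names out of `smbclient -L` with `cut`, which breaks on share names that contain spaces, and the backslash escaping of UNC paths is easy to get wrong. The following Python example is added here and is not part of the original page. It parses the line formats that rpcclient (`user:[...] rid:[0x...]`, `group:[...] rid:[0x...]`) and `smbclient -L` print, and serves both the RPC Client and SMBclient sections: it converts RIDs into the hex form the rpcclient `query*` commands expect (which is why Administrators appears as `0x220` and Remote Desktop Users as `0x22b` above) and builds `//host/share` paths that smbclient accepts without shell escaping. All sample output, host addresses and share names are constructed for the example, not captured from a host, and the line formats are assumed to be those printed by current Samba releases.

```python
"""Parse rpcclient enumeration lines and smbclient -L share listings.

Added example, not part of the original page: the sample outputs below are
constructed to match the formats Samba's rpcclient and smbclient print.
"""
from __future__ import annotations

import re

# rpcclient prints one object per line for enumdomusers / enumdomgroups /
# enumalsgroups, e.g.  user:[hsaad] rid:[0x451]   or   group:[Users] rid:[0x221]
RID_LINE = re.compile(
    r"^(?P<kind>user|group):\[(?P<name>[^\]]*)\]\s+rid:\[(?P<rid>0x[0-9a-fA-F]+)\]\s*$"
)

# smbclient -L prints a tab, the share name, whitespace, the share type and an
# optional comment.  The non-greedy name capture keeps names with spaces intact.
SHARE_LINE = re.compile(
    r"^\t(?P<name>.+?)\s+(?P<type>Disk|Printer|IPC|Device)(?:\s+(?P<comment>.*))?$"
)

# Constructed sample outputs (assumed values, not captured from a real host).
ENUMDOMUSERS = """\
user:[Administrator] rid:[0x1f4]
user:[Guest] rid:[0x1f5]
user:[hsaad] rid:[0x451]
"""

ENUMALSGROUPS_BUILTIN = """\
group:[Administrators] rid:[0x220]
group:[Users] rid:[0x221]
group:[Remote Desktop Users] rid:[0x22b]
"""

SMBCLIENT_L = (
    "\n"
    "\tSharename       Type      Comment\n"
    "\t---------       ----      -------\n"
    "\tADMIN$          Disk      Remote Admin\n"
    "\tC$              Disk      Default share\n"
    "\tIPC$            IPC       Remote IPC\n"
    "\tNETLOGON        Disk      Logon server share \n"
    "\tSYSVOL          Disk      Logon server share \n"
    "\tTeam Docs       Disk      Shared documents\n"
    "Reconnecting with SMB1 for workgroup listing.\n"
)


def parse_rid_lines(text: str) -> dict[str, int]:
    """Map each user or group name to its RID as an integer."""
    rids: dict[str, int] = {}
    for line in text.splitlines():
        m = RID_LINE.match(line.rstrip("\r"))
        if m:
            rids[m["name"]] = int(m["rid"], 16)
    return rids


def rid_hex(rid: int) -> str:
    """Render a RID the way rpcclient's query* commands expect it (544 -> 0x220)."""
    return f"0x{rid:x}"


def member_queries(scope: str, groups: dict[str, int]) -> dict[str, str]:
    """Build one queryaliasmem command per alias in the given scope (builtin or domain)."""
    return {name: f"queryaliasmem {scope} {rid_hex(rid)}" for name, rid in groups.items()}


def parse_share_list(text: str) -> list[tuple[str, str, str]]:
    """Return (name, type, comment) for every share row in smbclient -L output."""
    shares: list[tuple[str, str, str]] = []
    for line in text.splitlines():
        m = SHARE_LINE.match(line.rstrip("\r"))
        if m:
            shares.append((m["name"], m["type"], (m["comment"] or "").strip()))
    return shares


def disk_shares(text: str) -> list[str]:
    """Names of the Disk shares only, the same filter as 'grep Disk' in the shell loop."""
    return [name for name, stype, _ in parse_share_list(text) if stype == "Disk"]


def unc_path(host: str, share: str) -> str:
    """Forward-slash form accepted by smbclient; it needs no shell backslash escaping."""
    return f"//{host}/{share}"


if __name__ == "__main__":
    for name, rid in parse_rid_lines(ENUMDOMUSERS).items():
        print(f"queryuser {rid_hex(rid)}  # {name} (RID {rid})")
    for cmd in member_queries("builtin", parse_rid_lines(ENUMALSGROUPS_BUILTIN)).values():
        print(cmd)
    for share in disk_shares(SMBCLIENT_L):
        print(unc_path("10.0.2.6", share))
```

Feed the functions real `rpcclient`/`smbclient -L` output captured to a file instead of the constructed strings; `disk_shares` plus `unc_path` produce the same `shares.txt` content as the shell loop, but with names such as `Team Docs` preserved as one path.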

### Enum4Linux

```bash
enum4linux -u Marvel/hsaad -p P@ssw0rd -a 10.0.2.100 # enumerate all
enum4linux -u Marvel/hsaad -p P@ssw0rd -U 10.0.2.100 # enumerate users
enum4linux -u Marvel/hsaad -p P@ssw0rd -G 10.0.2.100 # enumerate groups
enum4linux -u Marvel/hsaad -p P@ssw0rd -P 10.0.2.100 # enumerate password policy
enum4linux -u Marvel/hsaad -p P@ssw0rd -S 10.0.2.100 # enumerate shares
enum4linux -a 10.0.2.100 # enumerate all using null session if exists
```

### CrackMapExec

```bash
# Check which hosts in IP.txt accept the credentials; hosts where the account is a local admin are marked "(Pwn3d!)"
for line in $(cat IP.txt); do
  crackmapexec smb "$line" -d Marvel.local -u hsaad -p P@ssw0rd | tee -a crack.log & sleep 2
done
```

### Hydra

```bash
# Check RDP access on every host in IP.txt with a known username and password (-m passes the domain to the rdp module)
for line in $(cat IP.txt); do
  hydra -l hsaad -p P@ssw0rd -m Marvel.local -t 1 "$line" rdp | tee -a hydra.log & sleep 2
done
```
